MCP server collaboration: are your trust boundaries keeping up?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 2827
Topic starter  

TL;DR: MCP is shifting from pure request-response to sampling, URL-mode elicitation, and form-mode elicitation so servers can collaborate with models and users without losing explicit control, according to WorkOS. The key issue is not autonomy, but the trust boundary changes that appear when servers begin participating in runtime decisions and sensitive flows.

NHIMG editorial — based on content published by WorkOS: Beyond request-response, how MCP servers are learning to collaborate

By the numbers:

Questions worth separating out

Q: How should security teams govern MCP workflows that mix models, servers, and users?

A: Treat MCP as a delegated workflow problem, not just a protocol feature set.

Q: Why do MCP collaboration patterns change IAM and NHI assumptions?

A: Because they move important decisions into runtime.

Q: What breaks when MCP servers are allowed to initiate actions?

A: The clean request-response assumption breaks first, followed by the audit trail that depends on a single initiating identity.

Practitioner guidance

  • Map collaboration checkpoints to identity controls: Identify every sampling, elicitation, or external authorisation step in MCP-enabled workflows and assign a named owner for approval, logging, and exception handling.
  • Keep credential-bearing flows out of model context: Require OAuth, SSO, payment, and token exchange to occur only through trusted external surfaces, with the model and client treated as untrusted for secret handling.
  • Define policy for server-initiated actions now: If your MCP roadmap includes bidirectional tool calls, predefine which tools a server may invoke, what runtime signals can trigger them, and which approvals must precede any server-originated execution.

What's in the full article

WorkOS's full article covers the operational detail this post intentionally leaves for the source:

  • Detailed examples of how sampling, URL-mode elicitation, and form-mode elicitation behave in live MCP workflows.
  • The specific control-flow implications of moving authentication and clarification outside the model context.
  • Discussion of the SEP-1006 bidirectional tool-call proposal and the security trade-offs it introduces.
  • The article's concrete examples of how servers, models, and users share responsibility in production MCP deployments.

👉 Read WorkOS's analysis of MCP server collaboration and elicitation patterns →
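As an added illustration of the three practitioner guidance points above (example code, not from WorkOS or NHIMG), a small policy gate that assigns a named owner to each MCP collaboration checkpoint, refuses elicitation forms that would pull credentials into model context, confines URL-mode elicitation to trusted HTTPS surfaces, and only lets server-originated tool calls through when the tool and trigger are pre-approved and flagged for human approval. The request shape, POLICY table, owners, hosts and tool names are hypothetical values constructed for this example.

```python
"""Policy gate for MCP collaboration checkpoints (added illustration, not WorkOS
or NHIMG code). The request shape, POLICY table, owners, hosts and tool names are
hypothetical values constructed for this example."""
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Field names that suggest a form would pull a credential into model context.
SECRET_HINTS = ("password", "token", "secret", "api_key", "otp", "card")

# Per checkpoint: named owner, whether human approval must precede it, pre-approved sets.
POLICY = {
    "sampling":         {"owner": "platform-ai", "approval": False},
    "elicitation_form": {"owner": "app-owner",   "approval": False},
    "elicitation_url":  {"owner": "iam-team",    "approval": False,
                         "allowed_hosts": {"sso.example.com", "pay.example.com"}},
    "server_tool_call": {"owner": "iam-team",    "approval": True,
                         "allowed_tools": {"create_ticket"},
                         "allowed_triggers": {"user_message"}},
}

@dataclass
class Decision:
    allowed: bool
    owner: str
    needs_approval: bool
    reason: str
    audit: dict = field(default_factory=dict)

def evaluate(request: dict, server_id: str, session_user: str) -> Decision:
    kind = request.get("kind")
    rule = POLICY.get(kind)
    if rule is None:
        return Decision(False, "unassigned", False, f"unknown checkpoint kind {kind!r}")
    # Record both identities: the user session and the server that initiated the step.
    audit = {"server": server_id, "user": session_user, "kind": kind}
    owner, approval = rule["owner"], rule["approval"]
    if kind == "elicitation_form":
        leaky = [f for f in request.get("fields", ())
                 if any(h in f.lower() for h in SECRET_HINTS)]
        if leaky:  # form answers pass through model context, so secrets are refused
            return Decision(False, owner, False, f"credential fields in model context: {leaky}", audit)
    elif kind == "elicitation_url":
        url = urlparse(request.get("url", ""))  # credential flows go to trusted surfaces only
        if url.scheme != "https" or url.hostname not in rule["allowed_hosts"]:
            return Decision(False, owner, False, f"untrusted elicitation target {url.geturl()!r}", audit)
    elif kind == "server_tool_call":
        tool, trigger = request.get("tool"), request.get("trigger")
        if tool not in rule["allowed_tools"] or trigger not in rule["allowed_triggers"]:
            return Decision(False, owner, True, f"{tool!r} via {trigger!r} is not pre-approved", audit)
    return Decision(True, owner, approval, "within policy", audit)
```

Every Decision carries both the session user and the originating server in its audit record, so the trail no longer depends on a single initiating identity.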

(@mr-nhi)
Member Moderator
Joined: 4 weeks ago
Posts: 1125
 

Server collaboration is not the same as server autonomy. MCP’s new patterns still rely on explicit checkpoints, human review, and constrained execution. That matters because many identity programmes will misread collaborative workflow as a reason to relax governance when the opposite is true. The stronger the server’s role in workflow coordination, the more carefully teams must define where trust begins and ends.

A few things that frame the scale:

  • 92% agree governing AI agents is critical to enterprise security, yet only 44% have implemented any policies to do so, according to the AI Agents: The New Attack Surface report.
  • 48% of organisations still lack a complete blind spot for compliance and breach investigation when they cannot track and audit the data their AI agents access, according to SailPoint research.

A question worth separating out:

Q: Should organisations treat MCP server collaboration as a Zero Trust problem?

A: Yes, but only if Zero Trust is applied to identity boundaries as well as network paths. The important question is whether each collaboration step is explicitly authorised, observable, and limited to the minimum required scope. If a workflow can cross from model context into authentication or execution without a clear trust boundary, it is already outside healthy Zero Trust practice.

👉 Read our full editorial: MCP server collaboration raises new identity and trust boundaries
